Second-hand ATM trade opens up fraud risk

Second-hand ATM machines containing sensitive transaction data are easily available for purchase on eBay or even Craigslist, according to an investigation by a US-based security consultant.

Robert Siciliano, a security consultant to Intelius.com and personal ID theft expert, was able to buy an ATM machine through Craigslist for $750 from a bar in Boston. The previous owners hadn’t taken the trouble to clear out the data stored by the machines, making it possible for Siciliano to easily extract a log of hundreds of credit and debit card account numbers and transaction details.

There are no regulations in the US on who can own or operate an ATM, so Siciliano was able to make the purchase without any checks. He even managed to knock $250 off the asking price of $1,000. The bar selling the ATM was going through liquidation and also selling pool tables and neon Budweiser signs.

A manual supplied with the machine gave clear instructions on how to access the sensitive data it stored.

Although the names and expiration dates of cards were not included in the logged data, there was still enough information to constitute a serious breach involving more than a thousand records. "Fraudsters might be able to fudge the name and expiration date and create counterfeit cards that could be used at self-service terminals," Siciliano explained.
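The breach described above comes down to a transaction log that was never sanitised before the machine changed hands. The following Python script is an added example, not code from the article or from Siciliano, of the kind of check an operator could run over a terminal's log before selling or scrapping it: it finds candidate card numbers (13 to 19 digits, optionally separated by spaces or dashes), keeps only those that pass the Luhn check so that timestamps and reference numbers are not flagged, and masks them to the first six and last four digits. The log lines and the `TERM`/`PAN`/`REF` field names are constructed for the example; the card numbers are the publicly documented test numbers issued by the card brands, not real accounts.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, each optionally followed by a single space or dash,
# not preceded or followed by another digit. Constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the usual PCI-style truncation."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid candidate in a line; return (masked_line, hits)."""
    hits = 0

    def repl(match: "re.Match[str]") -> str:
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits += 1
            return mask_pan(digits)
        return match.group(0)   # digit run that fails Luhn is left untouched

    return PAN_CANDIDATE.sub(repl, line), hits


def scan_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scan a whole log; return the masked lines and the number of PANs found."""
    masked: List[str] = []
    total = 0
    for line in lines:
        out, hits = scan_line(line)
        masked.append(out)
        total += hits
    return masked, total


# Constructed sample log. Card numbers are the card brands' published test PANs.
SAMPLE_LOG = [
    "2009-09-28 14:02:11 TERM 00042 WITHDRAWAL PAN=4111111111111111 AMT=60.00 OK",
    "2009-09-28 14:05:47 TERM 00042 BALANCE PAN=5500 0000 0000 0004 OK",
    "2009-09-28 14:09:03 TERM 00042 WITHDRAWAL PAN=3782-822463-10005 AMT=100.00 DECLINED",
    "2009-09-28 14:11:30 TERM 00042 SETTLEMENT REF=1234567890123456 BATCH=17",
]

if __name__ == "__main__":
    cleaned, count = scan_log(SAMPLE_LOG)
    print(f"{count} card number(s) found and masked")
    for line in cleaned:
        print(line)
```

Running the script reports three card numbers: the settlement reference on the last line is sixteen digits long but fails the Luhn check, so it is left alone. A real decommissioning pass would of course delete the log rather than merely mask it, but a scan like this is a quick way to confirm that a supposedly wiped machine no longer holds account numbers.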

Most ATM machine operators are affiliated with reputable banks. However, there's very little to stop crooks from purchasing machines and setting them up with skimmers and cameras designed to capture PINs associated with particular cards.

To carry out skimming fraud, crooks use hardware attached to the face of an ATM to record user card information and PIN codes - and that skimming hardware is easily purchased online. Alternatively, a card reader in a purchased cash machine might be blocked off and replaced with hardware that records data without allowing a transaction.

Miscreants might also want to buy machines in order to develop ideas for more sophisticated hacking or malware-based scams.

Siciliano argues that a self-regulation scheme for the cash dispenser machine business is needed. "The payment-processing card industry has PCI which, while imperfect, regulates who can trade as an online merchant. The ATM industry in the US has nothing. Anyone can purchase a cash machine," Siciliano told El Reg.

Pubs or convenience store owners in the US sell hundreds of second-hand cash machines through eBay and Craigslist, according to Siciliano, who reports he had little trouble finding a seller close to home without having the inconvenience of shipping the machine across the US.

Siciliano obtained a license to handle transactions via his machine after sending off a few faxes and making some phone calls. Crooks could still carry out crimes without going through this process by using a purchased machine (powered off a car battery and transformer or an electrical outlet) simply to record bank cards and PINs without processing transactions. Such rogue machines could be placed in a high-traffic location.

The security consultant wants to encourage greater public awareness of the dangers posed by rogue ATM machines fitted with skimmers and how to recognise possible scams. As part of this campaign, Siciliano contacted a local Fox News crew whose report (below) illustrates the risk.

Siciliano got the idea to purchase the ATM, which he bought in late September, after hearing how a machine fitted with a skimmer was placed in the lobby of a hotel hosting the Defcon hacker convention in Vegas. He intends to keep the cash machine as a prop for presentations on the dangers of identity theft. ®